IP Address: Malicious

Weekly Summary

Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network

Top Threats

Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:​
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information


Attacker, Scanner

Services Targeted



Outgoing Connection HTTP Human Log Tampering DNS Query User Created SSH 17 Shell Commands Successful SSH Login Download Operation Download and Execute Malicious File

Associated Attack Servers

v69.16mb.com zhtwwpqt6ci62n5o.onion.to your-server.de qcuifb2klqqkwc5q.onion.cab lmco62zvt7fnezd5.onion.nu zhtwwpqt6ci62n5o.onion.cab qcuifb2klqqkwc5q.onion.link xmr.pool.minergate.com startdedicated.de zlha65umg7qmprg6.onion.link lmco62zvt7fnezd5.onion.link hukot.net tqz3y4w3eq4wi2ay.onion.to 6ppk2oii4hsweqb7.onion.to xphkxaiz233pjoto.onion.to

Basic Information

IP Address






United States


Created Date


Updated Date




First seen in Guardicore Centra


Last seen in Guardicore Centra


What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / ********** - Authentication policy: White List

Successful SSH Login

Log File Tampering detected from /bin/bash on the following logs: /var/log/secure, /var/log/lastlog and /var/log/wtmp

Log Tampering

User mysqld was created with the password *********

User Created

Process /usr/bin/wget generated outgoing network traffic to: 2 times

Outgoing Connection

The file /tmp/.b was downloaded and executed

Download and Execute

The file /tmp/.b was downloaded and executed 2 times

Download and Execute

The file /tmp/xh was downloaded and executed

Download and Execute

Process /tmp/.b attempted to access domains: xmr.pool.minergate.com

DNS Query

Process /tmp/.b generated outgoing network traffic to: and

Outgoing Connection

/tmp/xh was identified as malicious by YARA according to rules: Malw Miscelanea Linux and Maldoc Somerules

Malicious File

/tmp/.b was identified as malicious by YARA according to rules: Crypto Signatures

Malicious File

Associated Files


SHA256: c3ef8a6eb848c99b8239af46b46376193388c6e5fe55980d00f65818dba0b047

168896 bytes


SHA256: dde264cc06ebaf2b3f1740c8505d76998b3d13d6828698bb6dd94e3db32c6dfa

3205 bytes


SHA256: c2d779e3af5fb536116eaf529f448e2cbbd5462914089cee52de5ee291cd753e

4390176 bytes


SHA256: 19497073d8dad041bc41620bbb7954cdf8c8fc7252be779683bce9cebe1006d7

4390176 bytes


SHA256: 57a00d800debbc709a3c96ca2c04dad7011805bb983868c5e7dd8e1b4f2a2d64

4390176 bytes


SHA256: b8d4721ea987582cf08147fd37e6acced139395c5f393dd577a95f7c0f51754b

4390176 bytes


SHA256: 98c27ea6ce8602916aa24ae3ecf91af2e8140a986eb38d39a0251c8f2d4b0941

4390176 bytes


SHA256: 118bcc73f2b740392af9729382f348b5d85f497424f1523c3d14b1cc57d75985

4390176 bytes


SHA256: 957bf53bc91efd4bc60c775acf5e0377f1f5ff819d818747d084f0832a140f40

4390176 bytes


SHA256: af23482c1e7653739cf15d44aaca4922ba5e5e5bf820e59931f0de0ecdbc697f

1919887 bytes


SHA256: 5a8fdd61593c064737130296ec0985a115201dd8dfff12dada88f16025ba53bb

4394272 bytes


SHA256: 73444f0135a3d20ab2dc8bb6fe959ac22e26ebe5d3672cdb60d7ec5fcf32d4c9

4390176 bytes


SHA256: 20682c6a79c57eeef7afd6ed836d2dd9bd146c9e4a4e19532d54922baab5c66d

4390176 bytes

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.

IP Address:​Previously Malicious